
APIM error with managed certificate - Failed to update API Management service hostnames

Rodolfo Grave 5 Reputation points
2026-03-25T11:00:38.9966667+00:00

Our APIM has been working OK for a couple of years. All of a sudden, we have started to see ERR_CERT_COMMON_NAME_INVALID errors from the clients.

We are using a managed certificate for a custom domain, and it shows up with a warning on the "Custom domains" pane: Expiry: 15/04/2026

We haven't reached that date yet, so the certificate should be valid.

On inspection, the clients are receiving a different certificate that is for *.azurewebsites.net?

  • Issued To:
    • Common Name (CN): *.azurewebsites.net
    • Organisation (O): Microsoft Corporation
    • Organisational Unit (OU): <Not part of certificate>
  • Issued By:
    • Common Name (CN): Microsoft Azure RSA TLS Issuing CA 07
    • Organisation (O): Microsoft Corporation
    • Organisational Unit (OU): <Not part of certificate>
  • Validity Period:
    • Issued On: Saturday, 7 March 2026 at 18:05:24
    • Expires On: Wednesday, 26 August 2026 at 00:59:59

Notice the issuance date of this new certificate: 7/March, which is when we started facing this issue.

We haven't changed any configuration on the APIM instance. What's going on and how do we fix it?

Azure API Management

An Azure service that provides a hybrid, multi-cloud management platform for APIs.


2 answers

  1. Sina Salam 28,361 Reputation points Volunteer Moderator
    2026-03-28T16:36:12.2766667+00:00

    Hello Rodolfo Grave,

    Welcome to the Microsoft Q&A and thank you for posting your questions here.

    I understand that you are seeing an APIM error with a managed certificate: Failed to update API Management service hostnames.

    To clarify your issue: managed certificate renewal failed due to new DigiCert validation requirements and the platform transition, because Azure changed validation rules and your configuration no longer satisfies the requirements. You will need to fix network and DNS validation requirements (port 80, DigiCert access, CAA), then force certificate revalidation (remove/re-add domain); otherwise use a custom certificate as immediate recovery.

    • Verify failure by checking CN mismatch (*.azurewebsites.net) and unbound managed cert, then correct validation requirements: open port 80, allow DigiCert IPs in NSG/WAF, and ensure DNS resolves correctly. Add a required CAA record: CAA 0 issue "digicert.com" to permit issuance (Microsoft Docs – Custom domain & cert requirements, Managed cert changes).
    • Force renewal by removing and re-adding the custom domain in APIM (Option A), or retry after service restoration timelines if blocked (Option B). After rebind, confirm the certificate CN matches your domain and test via browser or curl -v https://yourdomain to ensure TLS is correctly served (Microsoft Docs – Configure custom domains).
    • If renewal still fails, raise a support request due to possible backend state issues, and immediately switch to a customer-managed certificate (e.g., Azure Key Vault integration) to restore service. This avoids downtime during platform transition and aligns with Microsoft’s recommended production approach (Microsoft Docs – Use Key Vault certificates).

    I hope this is helpful! Do not hesitate to let me know if you have any other questions or clarifications.


    Please don't forget to close up the thread here by upvoting and accepting it as an answer if it is helpful.

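An added example, not part of the answer above or of Microsoft's documentation: a Python check for the verification step that answer describes, reporting which certificate the gateway actually serves, whether its names cover the custom domain, and how long it has left. The host api.example.com and the sample certificate are constructed, and the function names are this example's own.

```python
import socket
import ssl
import sys
from datetime import datetime, timezone

# Constructed sample in ssl.getpeercert() form, modelled on the question's certificate.
SAMPLE = {"subject": ((("commonName", "*.azurewebsites.net"),),),
          "subjectAltName": (("DNS", "*.azurewebsites.net"),),
          "notAfter": "Aug 26 00:59:59 2026 GMT"}

def fetch_served_cert(host, port=443, timeout=10):
    """Return the leaf certificate served for `host` (sent as SNI) in dict form."""
    ctx = ssl.create_default_context()
    # Chain validation stays on; only the hostname check is disabled so the
    # handshake completes and a certificate issued for another name can be read.
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def name_matches(pattern, host):
    """DNS name match; '*' may only stand for the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def assess(cert, host, now=None, warn_days=30):
    """Classify a served certificate against the hostname clients connect to."""
    now = now or datetime.now(timezone.utc)
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not sans:  # fall back to the CN only when the certificate has no SAN
        sans = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    days_left = (expires - now).days
    status = ("NAME_MISMATCH" if not any(name_matches(s, host) for s in sans)
              else "EXPIRED" if days_left < 0
              else "EXPIRING" if days_left < warn_days else "OK")
    return {"status": status, "names": sans, "days_left": days_left}

if __name__ == "__main__":
    # With an argument: check the live endpoint. Without: assess the constructed sample.
    live = len(sys.argv) > 1
    host = sys.argv[1] if live else "api.example.com"
    print(assess(fetch_served_cert(host) if live else SAMPLE, host))
```

Run on a schedule against the custom domain, a NAME_MISMATCH result flags the fallback to a platform certificate before clients start reporting ERR_CERT_COMMON_NAME_INVALID.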

  2. Siddhesh Desai 4,895 Reputation points Microsoft External Staff Moderator
    2026-03-25T11:50:02.8433333+00:00

    Hi @Rodolfo Grave

    Thank you for reaching out to Microsoft Q&A.

    The backend engineering team has confirmed that this issue is caused by a bug and they are still investigating, but they have provided the resolution below for your issue:

    For service "rsi-api" I saw the customer changed to use their own certificate instead of the free certificate, so there is nothing I can do here to change it back for them to keep using the free certificate. For service "nemsprdwebappp0apimngt", I manually fixed the custom domain issue; their custom domain should already be usable with the free certificate.

